Date: Thu, 27 Apr 2017 05:56:57 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218907] tcpmd5 kernel module on STABLE/11 doesn't work with vultr bgp via bird
Message-ID: <bug-218907-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218907

            Bug ID: 218907
           Summary: tcpmd5 kernel module on STABLE/11 doesn't work with vultr bgp via bird
           Product: Base System
           Version: 11.0-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: freebsd-bugs@joe.mulloy.me

Hello,

I have set up some servers on the cloud provider Vultr and I have set up a floating IP for load balancing/high availability via BGP. Vultr's BGP system requires using an MD5 TCP signature, which before r313330 in current and r315514 in stable/11 was not available as a module and required compiling a custom kernel with the TCP_SIGNATURE option enabled. I prefer to be able to just use freebsd-update so I found this quite inconvenient, but I am dealing with compiling and distributing a custom kernel anyways. However, with this kernel my servers keep freezing with no useful error message, which is incredibly frustrating.

I figured that perhaps now that this functionality has been getting some work that whatever bug I'm hitting may be fixed in STABLE/11. So I tried using the kernel in the snapshot tarball for STABLE/11, but it's lacking the IPSEC_SUPPORT option, so I still have to compile my own kernel for the tcpmd5 module to load/work. I've done this: I have built the STABLE/11 kernel from r317316, and the module loads and bird doesn't complain about the TCP MD5 feature being missing. However, BIRD isn't able to actually establish a connection to the other end, so it seems the TCP MD5 feature is now broken. I haven't upgraded my userland, it's still 11.0-RELEASE-p9, but I believe it should still work fine on an 11/STABLE kernel.

Perhaps I'm doing something wrong here, but I can't figure out a working solution and I can't find any documentation. It seems this md5 tcp signature feature is rarely used and hard to even turn on.

Please let me know what I can do to assist in debugging these issues. I'm glad that tcp md5 signatures will finally be easy to enable. I hope it won't be too hard to get this fixed.

Issues:

1. IPSEC_SUPPORT still not enabled in GENERIC kernel, so I still have to compile my own kernel for the tcpmd5 kernel module to actually work
2. The tcp md5 signature feature doesn't seem to work, the other end rejects my server as if I had the wrong password.

Vultr BGP Guide:
https://www.vultr.com/docs/high-availability-on-vultr-with-floating-ip-and-bgp

Bug tracking the splitting of ipsec and tcp md5 to separate kernel modules.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212018

Bird output showing that BGP session can't be established.

root@vps-vu-nj-1b:~ # birdc show proto all vultr
BIRD 1.6.3 ready.
name     proto    table    state  since       info
vultr    BGP      master   start  05:14:24    Connect       Socket: Connection refused
  Preference:     100
  Input filter:   REJECT
  Output filter:  ACCEPT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Connect
    Neighbor address: 169.254.169.254
    Neighbor AS:      64515
    Last error:       Socket: Connection refused

--
You are receiving this mail because:
You are the assignee for the bug.